Thanks a lot. That should be very secure :) --Subfader 12:18, 7 August 2009 (UTC)

It won't help you much against a determined vandal with a bot, though. After he gets the Questy answers, he can feed them into the bot and have it wreak havoc. Leucosticte (talk) 09:32, 20 March 2014 (UTC)

I could confirm this. Ive used 1.16x instead, it seems to work --84.171.29.220 08:56, 4 February 2012 (UTC)

Yeah, copying the Questy* files from 1.16 into the version for 1.13 (which also doesn't have them) works as well.

I had the same problem. The extension page says QuestyCaptcha is supported by MediaWiki "1.6+ (in theory)", but the download for 1.15.x doesn't contain QuestyCaptcha.php. Tim Smith (talk) 03:41, 1 July 2012 (UTC)

To my great surprise, I'm still getting a few spam edits! I can't find anyone talking about spam getting past QuestyCaptcha, so I thought this might be worth mentioning here. My daily spam is reduced from more than 50 to around 3, so I'm a happy user and I recommend QuestyCaptcha, but I'm puzzled by the trickle of spam that persists.

I guess this means there's a human somewhere in the world targeting my site, which is surprising since my site isn't all that big: en.swpat.org. But if it's a human, I wonder why they so rarely beat the captcha - maybe there's a distributed network of people and only some have sufficient English?

I set QuestyCaptcha up with these two questions:

What swims in the sea? (four letters) -> fish

Which wooly farm animal says baaaaa? -> sheep

Account creation and all edits require passing a captcha, but logged in users are exempt. I've had it installed for three days and there've been two spam pages created by IP addresses, three spam accounts created, and three pages created by those spam accounts.

(To see the spam edits, you have to show bot edits[1] - I use RecentChangesCleanup to tag spam as bot edits) Ciaran 23:07, 3 September 2011 (UTC)

Four months later, my spam is down again from 3 per day to 5 per week. I guess some spammers have removed my site from their lists of spammable wikis. Ciaran 12:19, 29 January 2012 (UTC)

I have also seen spammers get past the QuestyCaptcha. Maybe we should do an experiment: set the answer to something random (e.g. password generator output) for a month and see if spammers still gets through (with an email address where humans may ask for the password). If this doesn't stop them, then there is a security problem somewhere. If it does stop them, you can assume that you are fighting a bot using Mechanical Turk or similar. In that case, simply invent a new question with an unique answer every time you catch a spammer. --Maliomero (talk) 11:06, 14 April 2013 (UTC)

Add a log to see which questions your spammers are getting answered correctly, then remove or modify the weak question. To log questycapture events edit extensions/ConfirmEdit/QuestyCaptcha.class.php and add the following to the beginning of the keyMatch function:

Would like to know if the extension allows for multiple answers to a single question, in the event that the end-user spells it wrong... or even doesn't add a capital letter to a proper noun. -- Joe Beaudoin Jr. (talk) 18:23, 13 March 2012 (UTC)

You can provide several acceptable answers to a given question. The answers shall be in lowercase. An example:

I've installed ConfirmEdit with Questy, in my wiki (MW 1.18) but it's not working. I tried creating a new user, but when I do that I succeed without answering the test question! the problem is definitely in Questy, I tried SimpleCaptcha and indeed could not create a user without answering the simple math question.
Osishkin (talk) 17:52, 11 April 2012 (UTC)

Since the questions rotate, couldn't a spammer figure out the answer to one question, and then have an automated script keep making attempts to pass the CAPTCHA until it came back to that question? Leucosticte (talk) 06:47, 11 November 2012 (UTC)

IMO there is no point of having multiple questions that the spammers can choose from. Just a single unique answer should do the trick (exchange it from time to time). And the answer shouldn't be the site's domain name, or things like "5" or "blue" which will be in every dictionary. --Maliomero (talk) 11:06, 14 April 2013 (UTC)

It shouldn't be too hard to do the special page. Probably Special:Interwiki would be a good one to model it after. Another possibility would be to implement it via an editable wiki page that is only viewable by authorized users, if we ever get some decent access restrictions put in place. This would have the advantage of having a page history for reversion and accountability purposes (since the changes to the questions can't be logged, unless access to those log events is to be restricted). Leucosticte (talk) 06:49, 11 November 2012 (UTC)

What's the point of a special page? Would it be for editing question=>answer pairs or for viewing statistics? From what you're saying, it seems you're more interested in editing question=>answer pairs and creating an audit trail. There's no point in providing any "accountability" for the questions though, since you're already on someone else's website and CAPTCHA answers aren't something which are commonly abused. There's no benefit for sysadmins to provide greater transparency either. If anything, it'll let spammers and other potential adversaries know their efforts have been detected and are being addressed. This isn't something that affects user privacy or rights, so transparency is hardly useful and can indeed be harmful to anti-spam efforts.

I do see value in a special page for viewing statistics though. But then again, all the useful information can already be logged to disk using debug options and then subsequently analyzed there. The statistic from which all other metrics are calculated from would be user->question got wrong:wrong answer submitted. Seineliege (talk) 15:55, 4 August 2017 (UTC)

The Question and Answer Setup section claims it is possible to add multiple answers to a question by putting the answers in an array.
This did not work for me.
Using multiple answers in an array, I was consistently told I had provided an incorrect answer. Reducing it to one answer as a string, the answer was recognized.

This is with revision 9fd11f947abc9c51d6403f786471b69f4a2212ee; the README references version 1.2 in the changelog.
- Renegade 2A02:8108:380:145C:0:0:0:3 22:21, 16 June 2014 (UTC)

QuestyCaptcha is part of the ConfirmEdit extension. It is not a separate extension. Content here should be merged into ConfirmEdit's page, and the QuestyCaptcha page should be deleted. It's already got a lot of duplicate information. Yes, it is a module within ConfirmEdit, but based on examples from other extensions which have modules, it should not have it's own page. Ian Kelling (talk) 21:30, 4 September 2014 (UTC)

Especially infuriating when independent wikis utilize this extension, but fail to mention the format for a proper answer. I have failed a captcha 6 times (gave up after the 6th) because I wasn't sure how to answer it.

Example: "What is the second digit of the number five hundred twenty-three million seventy-four thousand eight hundred fifty-six?" and I answer with "5", but it just loads a new Questy. I have written out the number answer and tried reversing the order of digits as well.My inquiry to the community, is there a specific place that would house the documentation on the individual wiki that dictates how to answer the captcha? If so, where should I look for it? Kektklik (talk) 03:52, 20 October 2016 (UTC)

@Kektklik - you'd have to ask the webmaster of the site. Nobody puts out any documentation for their Questy format though, because it's all the same. Simply answer the question using the most obvious and logical requested answer. I'm guessing the correct answer to the CAPTCHA you posted would've been 2, since the number is 523074856. The second digit from the left is 2. Or it could be 0 because the first portion is "five hundred" and the webmaster miscalculated. Or it could be that the webmaster put the wrong answer in the array and no common sense answers are valid. The only way to avoid this type of issue is for webmasters to use clear and concise questions that can't be misunderstood, but that's something they have to do on their own. Seineliege (talk) 15:37, 4 August 2017 (UTC)